4.7 KiB
| title | description | keywords |
|---|---|---|
| Install a CNI plugin | Learn how to install a Container Networking Interface plugin on Docker Universal Control Plane. | ucp, cli, administration, kubectl, Kubernetes, cni, Container Networking Interface, flannel, weave, ipip, calico |
For Docker Universal Control Plane, Project Calico provides the secure networking functionality for the container communication with Kubernetes.
UCP supports certified third-party Container Networking Interface (CNI) plugins. Docker EE installs the built-in Calico plugin, but you can override that and install a Docker certified plugin.
NOTE: The --cni-installer-url option is deprecated as of UCP 3.1. It is replaced by the --unmanaged-cni option.
Install UCP with a custom CNI plugin
Modify the UCP install command-line
to add the --cni-installer-url option,
providing a URL for the location of the CNI plugin's YAML file:
docker container run --rm -it --name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
{{ page.ucp_org }}/{{ page.ucp_repo }}:{{ page.ucp_version }} install \
--host-address <node-ip-address> \
--unmanaged-cni <true|false> \
--interactive
NOTE: Setting --unmanaged-cni to true value installs UCP without a managed CNI plugin. UCP and the
Kubernetes components will be running but pod-to-pod networking will not function until a CNI plugin is manually
installed. This will impact some functionality of UCP until a CNI plugin is running.
You must provide a correct YAML installation file for the CNI plugin, but most of the default files work on Docker EE with no modification.
YAML files for CNI plugins
Use the following commands to get the YAML files for popular CNI plugins.
- Flannel
# Get the URL for the Flannel CNI plugin. CNI_URL="https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml" - Weave
If you have kubectl available, for example by using Docker for Mac, you can use the following command to get the URL for the Weave CNI plugin:# Get the URL for the Weave CNI plugin. CNI_URL="https://cloud.weave.works/k8s/net?k8s-version=Q2xpZW50IFZlcnNpb246IHZlcnNpb24uSW5mb3tNYWpvcjoiMSIsIE1pbm9yOiI5IiwgR2l0VmVyc2lvbjoidjEuOS4zIiwgR2l0Q29tbWl0OiJkMjgzNTQxNjU0NGYyOThjOTE5ZTJlYWQzYmUzZDA4NjRiNTIzMjNiIiwgR2l0VHJlZVN0YXRlOiJjbGVhbiIsIEJ1aWxkRGF0ZToiMjAxOC0wMi0wN1QxMjoyMjoyMVoiLCBHb1ZlcnNpb246ImdvMS45LjIiLCBDb21waWxlcjoiZ2MiLCBQbGF0Zm9ybToibGludXgvYW1kNjQifQpTZXJ2ZXIgVmVyc2lvbjogdmVyc2lvbi5JbmZve01ham9yOiIxIiwgTWlub3I6IjgrIiwgR2l0VmVyc2lvbjoidjEuOC4yLWRvY2tlci4xNDMrYWYwODAwNzk1OWUyY2UiLCBHaXRDb21taXQ6ImFmMDgwMDc5NTllMmNlYWUxMTZiMDk4ZWNhYTYyNGI0YjI0MjBkODgiLCBHaXRUcmVlU3RhdGU6ImNsZWFuIiwgQnVpbGREYXRlOiIyMDE4LTAyLTAxVDIzOjI2OjE3WiIsIEdvVmVyc2lvbjoiZ28xLjguMyIsIENvbXBpbGVyOiJnYyIsIFBsYXRmb3JtOiJsaW51eC9hbWQ2NCJ9Cg=="# Get the URL for the Weave CNI plugin. CNI_URL="https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')" - Romana
# Get the URL for the Romana CNI plugin. CNI_URL="https://raw.githubusercontent.com/romana/romana/master/docs/kubernetes/romana-kubeadm.yml"
Disable IP in IP overlay tunneling
The Calico CNI plugin supports both overlay (IPIP) and underlay forwarding technologies. By default, Docker UCP uses IPIP overlay tunneling.
If you're used to managing applications at the network level through the underlay visibility, or you want to reuse existing networking tools in the underlay, you may want to disable the IPIP functionality. Run the following commands on the Kubernetes master node to disable IPIP overlay tunneling.
# Exec into the Calico Kubernetes controller container.
docker exec -it $(docker ps --filter name=k8s_calico-kube-controllers_calico-kube-controllers -q) sh
# Download calicoctl
wget https://github.com/projectcalico/calicoctl/releases/download/v3.1.1/calicoctl
# Get the IP pool configuration.
./calicoctl get ippool -o yaml > ippool.yaml
# Edit the file: Disable IPIP in ippool.yaml by setting "ipipMode: Never".
# Apply the edited file to the Calico plugin.
./calicoctl apply -f ippool.yaml
These steps disable overlay tunneling, and Calico uses the underlay networking, in environments where it's supported.